1) SOFTWARE DESCRIPTION

"Caldera Form is a free and powerful WordPress plugin that creates responsive forms with a simple drag and drop editor."

It is reported to have 100,000+ active installations at the moment of this writing.

2) VULNERABILITY OVERVIEW

The application fails to validate user-supplied input, hence it stores the unsanitized buffer in the database.
The vulnerabilities reported here will be exploitable ONLY if certain conditions are met, which is not the case in CF's default configuration (although the plugin is still vulnerable).

3.a) Stored XSS - public

When submitting a CF form, the plugin will show a greeting message to notify the user that everything went ok.
This message is editable by the site's admin and can contain part of the user-supplied data (e.g. their first name). In this case, simply inject HTML code into the parameter which gets returned in the greeting message and submit the POST request. A JSON response will follow, containing, among other data:
 - the greeting message ("html", which contains the malicious payload that gets executed right away)
 - form's ID ("form_id")
 - data's ID ("cf_id")

To replicate this on a fresh install:
 - Create a new, default, contact form
 - Go to "Form Settings" tab and edit the success message to include, for example, the user's first name.
   e.g.: Form has been successfully submitted. Thank you %first_name%.
 - Save & publish
 - As an unauthenticated user, submit the contact form injecting HTML code in first name's parameter. XSS will be triggered right away
 - To recall the payload as a stored XSS, read the POST's response and point your browser to <target>/cf-api/<FORM_ID>/?cf_su=1&cf_id=<DATA_ID>

3.b) Stored XSS - admin interface

CalderaForms gives the ability to notify the admin via email every time a form gets submitted.
Furthermore, an admin can choose to enable an "email transaction log" for debugging purposes (disabled by default).
If this configuration is in place, a copy of the malicious payload described above will be shown in the administration panel, when visiting that form's malicious entry's details.

To replicate this on a fresh install:
 - Enable the transaction log (form -> edit -> email tab -> check "Enable email send transaction log")
 - Replicate the injection described at 3.a (all fields can be used this time) as an unauthenticated user
 - Back again in the admin interface, visit form's entries, identify the malicious one and click on the "view" button

This will pop a details window and trigger the XSS.

3.c) Importing a weaponized form - admin interface

CalderaForms gives the ability to import a form (JSON format).
A malicious form field can be crafted which will trigger an XSS when said field gets displayed/edited after the import.

It's worth noting that this flaw does not depend on custom configurations, although it's not "remotely" and "automatically" exploitable. The problem here arises, for example, when an admin imports a malicious JSON.

To replicate this on a fresh install:
 - Create a form and export it (JSON format)
 - Edit the JSON and inject HTML code. "label" and "slug" parameters were tested, others may be vulnerable too.
   e.g.:
     {
       ...
       "label":"First<script>alert(1);</script> Name",
       "slug":"first_name\"/><script>alert(2);</script>"
       ...
     }
 - Import the malicious form to trigger the XSS in the administration interface

4) REMEDIATION

Update to the latest version available.

If any personalized configuration is found exploitable, the following steps can be followed, as a temporary mitigation strategy, if no update is available or updating is not an option, for whatever reason:
 - for every form, under "Form Settings", prune every variable that gets returned to the user as a success message
 - for every form, under the "Email" tab, un-check "Enable email send transaction log"
 - for every form that gets imported perform a thorough review
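
One way to support the review of imported forms named in the last mitigation step, as an added example that is not part of the original advisory or of the plugin's code: the script walks every string value in a form export and lists those containing HTML markup, plus any "slug" outside a plain identifier character set. The slug allow-list and the "fields"/"fld_1" layout of the sample are assumptions; only the "label" and "slug" keys come from the advisory.

```python
import json
import re

# An opening or closing HTML tag (or comment/doctype) anywhere in a value.
TAG = re.compile(r"<\s*/?\s*[a-zA-Z!]")
# Assumption: a benign slug is limited to letters, digits, '_' and '-'.
SLUG_OK = re.compile(r"[A-Za-z0-9_-]*")


def walk(node, path=""):
    """Yield (json_path, key, value) for every string value in the export."""
    if isinstance(node, dict):
        items = [(f"{path}.{k}" if path else k, k, v) for k, v in node.items()]
    elif isinstance(node, list):
        items = [(f"{path}[{i}]", None, v) for i, v in enumerate(node)]
    else:
        return
    for child, key, value in items:
        if isinstance(value, str):
            yield child, key, value
        else:
            yield from walk(value, child)


def review_form(export_text):
    """Return (json_path, reason, value) findings for manual inspection."""
    findings = []
    for path, key, value in walk(json.loads(export_text)):
        if key == "slug" and not SLUG_OK.fullmatch(value):
            findings.append((path, "slug has characters outside [A-Za-z0-9_-]", value))
        elif TAG.search(value):
            findings.append((path, "HTML markup in string value", value))
    return findings


# Constructed sample: the two injected values are the ones shown in 3.c; the
# surrounding structure is a made-up stand-in for a real export file.
SAMPLE = json.dumps({
    "name": "Contact form",
    "fields": {
        "fld_1": {"label": "First<script>alert(1);</script> Name",
                  "slug": "first_name\"/><script>alert(2);</script>"},
        "fld_2": {"label": "Email", "slug": "email_address"},
    },
})

if __name__ == "__main__":
    for path, reason, value in review_form(SAMPLE):
        print(f"{path}: {reason}: {value!r}")
```

A finding is a prompt for manual inspection rather than proof of malice, since some form settings may legitimately hold HTML.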